CN110188573A - Subregion authorization method, device, equipment and computer readable storage medium - Google Patents
Subregion authorization method, device, equipment and computer readable storage medium
- Publication number
- CN110188573A CN201910459668.5A
- Authority
- CN
- China
- Prior art keywords
- target partition
- subregion
- active user
- path
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/25—Integrating or interfacing systems involving database management systems
- G06F16/254—Extract, transform and load [ETL] procedures, e.g. ETL data flows in data warehouses
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/903—Querying
- G06F16/90335—Query processing
- G06F16/90344—Query processing by using string matching techniques
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
- G06F40/00—Handling natural language data
- G06F40/20—Natural language analysis
- G06F40/205—Parsing
- G06F40/211—Syntactic parsing, e.g. based on context-free grammar [CFG] or unification grammars
- G06F40/253—Grammatical analysis; Style critique
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q40/00—Finance; Insurance; Tax strategies; Processing of corporate or income taxes
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The present invention relates to the big data field of financial technology and discloses a partition authorization method, device, equipment and computer readable storage medium. The method includes the following steps: receiving, from the Hive side, the target partition path of the target partition that the current user requests to access and the current user identifier; verifying, according to the target partition path, the current user identifier and a default authentication policy, whether the current user has data access authority for the target partition; and, if the current user has data access authority for the target partition, allowing the Hive side to provide the data access service of the target partition to the current user. The invention uses the partition authentication policy on the Ranger side to authorize the Hive side's data access service partition by partition, so that different business users can only operate on the partition data related to their own business, which in turn gives financial infrastructure (distributed systems, cloud computing, blockchain, etc.) finer-grained security permission management.
Description
Technical field
The present invention relates to the big data technical field of financial technology (Fintech), and in particular to a partition authorization method, device, equipment and computer readable storage medium.
Background art
With the development of computer technology, more and more technologies (big data, distributed computing, blockchain, artificial intelligence, etc.) are being applied in the financial field, and the traditional financial industry is gradually shifting to financial technology (Fintech). However, because of the financial industry's security and real-time requirements, higher demands are also placed on the technology.
For the security management of a big data platform, as the data volume grows, the number of users increases and the business becomes more and more complex, a centralized and fine-grained permission control method becomes more and more important. Apache Ranger is a very good solution: it supports centralized management of the components of the Hadoop ecosystem well and also provides very fine-grained permission management, which meets most day-to-day security permission management needs. Its support for Hive is still deficient, however; for example, it does not support partition-level permission control on partitioned tables.
Summary of the invention
The main purpose of the present invention is to provide a partition authorization method, device, equipment and computer readable storage medium, aiming to solve the technical problem that Ranger in the prior art does not support permission control by partition.
To achieve the above object, the present invention provides a partition authorization method. The partition authorization method is applied to the Ranger side and comprises the following steps:
Receiving, from the Hive side, the target partition path of the target partition that the current user requests to access and the current user identifier;
Verifying, according to the target partition path, the current user identifier and the default authentication policy, whether the current user has data access authority for the target partition;
If the current user has data access authority for the target partition, allowing the Hive side to provide the data access service of the target partition to the current user.
Optionally, the target partition path and the current user identifier are obtained as follows: the Hive side receives the access statement, entered by the current user, that requests access to the target partition, performs lexical parsing and syntax parsing on the access statement to obtain a syntax tree, and then extracts the target partition path and the current user identifier from the syntax tree.
Optionally, before the step of receiving, from the Hive side, the target partition path of the target partition that the current user requests to access and the current user identifier, the method further includes:
When a policy modification instruction is received, modifying the default authentication policy according to the partition path carried by the policy modification instruction and the user identifier mapped to that partition path, and saving the modified default authentication policy;
The step of verifying, according to the target partition path, the current user identifier and the default authentication policy, whether the current user has data access authority for the target partition then includes:
Verifying, according to the target partition path, the current user identifier and the modified default authentication policy, whether the current user has data access authority for the target partition.
Optionally, the partition path carried by the policy modification instruction is a character string containing an asterisk wildcard, and the step of, when a policy modification instruction is received, modifying the default authentication policy according to the partition path carried by the policy modification instruction and the user identifier mapped to that partition path, and saving the modified default authentication policy, includes:
When the policy modification instruction is received, retrieving all partition paths that correspond to the character string containing the asterisk wildcard;
Modifying the default authentication policy according to all the partition paths that correspond to the character string containing the asterisk wildcard and the user identifier carried by the policy modification instruction, and saving the modified default authentication policy.
Optionally, the step of verifying, according to the target partition path, the current user identifier and the default authentication policy, whether the current user has data access authority for the target partition includes:
Obtaining, according to the target partition path and the default authentication policy, the user identifier mapped to the target partition path;
Judging whether the user identifier mapped to the target partition path is consistent with the current user identifier;
If the user identifier mapped to the target partition path is consistent with the current user identifier, the current user has data access authority for the target partition;
If the user identifier mapped to the target partition path is inconsistent with the current user identifier, the current user does not have data access authority for the target partition.
Optionally, before the step of receiving, from the Hive side, the target partition path of the target partition that the current user requests to access and the current user identifier, the method further includes:
When a permission object addition instruction is received, adding the data warehouse tool partition type to the permission management table in Ranger's metadata, so that the user can input the target partition path through the Hive side; the permission management table defines the objects in Ranger that are subject to permission management.
Optionally, the step of allowing the Hive side to provide the data access service of the target partition to the current user if the current user has data access authority for the target partition includes:
If the current user has data access authority for the target partition, obtaining the registration time of the user identifier;
Providing to the current user, through the Hive side, the data access service for the data of the target partition that was updated after the registration time.
Further, to achieve the above object, the present invention also provides a partition authorization device. The partition authorization device is applied to the Ranger side and includes:
A receiving module, for receiving, from the Hive side, the target partition path of the target partition that the current user requests to access and the current user identifier;
A verification module, for verifying, according to the target partition path, the current user identifier and the default authentication policy, whether the current user has data access authority for the target partition;
An access module, for allowing the Hive side to provide the data access service of the target partition to the current user if the current user has data access authority for the target partition.
Further, to achieve the above object, the present invention also provides partition authorization equipment. The partition authorization equipment includes a memory, a processor and a partition authorization program that is stored on the memory and can run on the processor; when executed by the processor, the partition authorization program implements the steps of the partition authorization method described above.
Further, to achieve the above object, the present invention also provides a computer readable storage medium on which a partition authorization program is stored; when executed by a processor, the partition authorization program implements the steps of the partition authorization method described above.
The present invention receives, from the Hive side, the target partition path of the target partition that the current user requests to access and the current user identifier; verifies, according to the target partition path, the current user identifier and the default authentication policy, whether the current user has data access authority for the target partition; and, if the current user has data access authority for the target partition, allows the Hive side to provide the data access service of the target partition to the current user. By adding a partition authentication policy on the Ranger side and authorizing the Hive side's data access service partition by partition according to that policy, the invention ensures that different business users can only operate on the partition data related to their own business. This achieves data isolation and, in turn, finer-grained security permission management for financial infrastructure (distributed systems, cloud computing, blockchain, etc.).
Brief description of the drawings
Fig. 1 is a structural schematic diagram of the equipment hardware running environment involved in the embodiments of the partition authorization equipment of the present invention;
Fig. 2 is a flow diagram of the first embodiment of the partition authorization method of the present invention;
Fig. 3 is a functional block diagram of the partition authorization device of the present invention.
The realization of the object, the functional characteristics and the advantages of the present invention are further described with reference to the accompanying drawings in conjunction with the embodiments.
Detailed description of the embodiments
It should be understood that the specific embodiments described herein are only used to explain the present invention and are not intended to limit it.
It should be noted that the existing Apache Ranger supports centralized management of the components of the Hadoop ecosystem well and also provides very fine-grained permission management, which meets most day-to-day security permission management needs. Its support for Hive is still deficient, however; for example, it does not support partition-level permission control on partitioned tables.
In view of this defect, the present invention provides partition authorization equipment. Referring to Fig. 1, Fig. 1 is a structural schematic diagram of the equipment hardware running environment involved in the embodiments of the partition authorization equipment of the present invention.
As shown in Fig. 1, the partition authorization equipment may include: a processor 1001, such as a CPU, a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 implements the connection and communication between these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard); optionally, the user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a WI-FI interface). The memory 1005 may be a high-speed RAM memory or a stable memory (non-volatile memory), such as a magnetic disk memory. The memory 1005 may optionally also be a storage device independent of the aforementioned processor 1001.
Those skilled in the art will understand that the hardware structure of the partition authorization equipment shown in Fig. 1 does not limit the partition authorization equipment, which may include more or fewer components than illustrated, combine certain components, or use a different arrangement of components.
As shown in Fig. 1, the memory 1005, as a kind of computer readable storage medium, may include an operating system, a network communication module, a user interface module and a partition authorization program. The operating system is the program that manages and controls the partition authorization equipment and its software resources and supports the running of the network communication module, the user interface module, the partition authorization program and other programs or software; the network communication module manages and controls the network interface 1004; the user interface module manages and controls the user interface 1003.
In the hardware structure of the partition authorization equipment shown in Fig. 1, the network interface 1004 is mainly used to connect to a background server and exchange data with it; the user interface 1003 is mainly used to connect to a client (user terminal) and exchange data with it; the processor 1001 can call the partition authorization program stored in the memory 1005 and perform the following operations:
Receiving, from the Hive side, the target partition path of the target partition that the current user requests to access and the current user identifier;
Verifying, according to the target partition path, the current user identifier and the default authentication policy, whether the current user has data access authority for the target partition;
If the current user has data access authority for the target partition, allowing the Hive side to provide the data access service of the target partition to the current user.
Further, the target partition path and the current user identifier are obtained as follows: the Hive side receives the access statement, entered by the current user, that requests access to the target partition, performs lexical parsing and syntax parsing on the access statement to obtain a syntax tree, and then extracts the target partition path and the current user identifier from the syntax tree.
Further, before the step of receiving, from the Hive side, the target partition path of the target partition that the current user requests to access and the current user identifier, the processor 1001 is also used to call the partition authorization program stored in the memory 1005 and perform the following operations:
When a policy modification instruction is received, modifying the default authentication policy according to the partition path carried by the policy modification instruction and the user identifier mapped to that partition path, and saving the modified default authentication policy;
The step of verifying, according to the target partition path, the current user identifier and the default authentication policy, whether the current user has data access authority for the target partition then includes:
Verifying, according to the target partition path, the current user identifier and the modified default authentication policy, whether the current user has data access authority for the target partition.
Further, the partition path carried by the policy modification instruction is a character string containing an asterisk wildcard, and the step of, when a policy modification instruction is received, modifying the default authentication policy according to the partition path carried by the policy modification instruction and the user identifier mapped to that partition path, and saving the modified default authentication policy, includes:
When the policy modification instruction is received, retrieving all partition paths that correspond to the character string containing the asterisk wildcard;
Modifying the default authentication policy according to all the partition paths that correspond to the character string containing the asterisk wildcard and the user identifier carried by the policy modification instruction, and saving the modified default authentication policy.
Further, the step of verifying, according to the target partition path, the current user identifier and the default authentication policy, whether the current user has data access authority for the target partition includes:
Obtaining, according to the target partition path and the default authentication policy, the user identifier mapped to the target partition path;
Judging whether the user identifier mapped to the target partition path is consistent with the current user identifier;
If the user identifier mapped to the target partition path is consistent with the current user identifier, the current user has data access authority for the target partition;
If the user identifier mapped to the target partition path is inconsistent with the current user identifier, the current user does not have data access authority for the target partition.
Further, before the step of receiving, from the Hive side, the target partition path of the target partition that the current user requests to access and the current user identifier, the processor 1001 is also used to call the partition authorization program stored in the memory 1005 and perform the following operations:
When a permission object addition instruction is received, adding the data warehouse tool partition type to the permission management table in Ranger's metadata, so that the user can input the target partition path through the Hive side; the permission management table defines the objects in Ranger that are subject to permission management.
Further, the step of allowing the Hive side to provide the data access service of the target partition to the current user if the current user has data access authority for the target partition includes:
If the current user has data access authority for the target partition, obtaining the registration time of the user identifier;
Providing to the current user, through the Hive side, the data access service for the data of the target partition that was updated after the registration time.
The specific implementation of the partition authorization equipment of the present invention is essentially the same as the embodiments of the partition authorization method described below and is not repeated here.
The present invention also provides a partition authorization method.
Hadoop: an open source software framework that can perform distributed processing on massive amounts of data.
Apache Ranger: provides a centralized security management framework and addresses authorization and auditing. It can perform fine-grained data access control over Hadoop ecosystem components such as HDFS, Yarn (resource management system), Hive and HBase (distributed column-oriented database). Through the Ranger console, administrators can easily control user access permissions by configuring policies.
Hive: a data warehouse tool based on Hadoop that can map structured data files to a database table and provides complete SQL (Structured Query Language) query functionality; it can convert SQL statements into MapReduce tasks to run. As a data warehouse, Hive provides dynamic queries over static data. It uses an SQL-like language, which is compiled underneath into MapReduce programs that run on Hadoop, and the data is stored in HDFS (distributed file system).
The existing security permission management approaches for big data can manage access control for the various components and can also control and manage permissions for access scenarios, but these permission control methods are still rather one-sided in terms of granularity and fall far short of the actual needs of financial institutions such as banks, which manage permission control more strictly.
Based on this, the embodiments of the present invention provide embodiments of the partition authorization method. It should be noted that although a logical order is shown in the flowchart, in some cases the steps shown or described may be executed in an order different from the one given here.
In the embodiments of the partition authorization method, the executing subject is omitted from the description for convenience. Referring to Fig. 2, Fig. 2 is a flow diagram of the first embodiment of the partition authorization method of the present invention. The partition authorization method is applied to the Ranger side and includes:
Step S10, receiving, from the Hive side, the target partition path of the target partition that the current user requests to access and the current user identifier;
Apache Ranger supports centralized management of the components of the Hadoop ecosystem well and also provides very fine-grained permission management, which meets most day-to-day security permission management needs. But it does not support partition permission control for Hive and cannot meet the need for multi-level partition permission management.
To solve the technical problem that Ranger in the prior art does not support permission control by partition, this embodiment further includes, before step S10: modifying Ranger's metadata table to add a partition type entry to the permission management types. Specifically, by operating the Ranger side, an administrator can add the data warehouse tool partition (Hive Partition) type to the permission management table x_resource_def in Ranger's metadata. The x_resource_def table defines the objects (Resource) in Ranger that require permission management, such as a certain database, a certain table or a certain column.
Then the authentication policy on the Ranger side is modified. When a policy modification instruction is received, the Ranger side modifies the default authentication policy according to the partition path carried by the policy modification instruction and the user identifier mapped to that partition path, and saves the modified default authentication policy. Specifically, when a policy modification instruction is received, the Ranger side modifies the x_policy_resource_map table according to the partition path carried by the policy modification instruction and the user identifier mapped to that partition path. The x_policy_resource_map table stores the default authentication policy, which includes partition paths and, mapped to each of them, the user identifiers that have permission to access that partition. The table may also store authentication policies for other types of permission management objects (database, table, column); this embodiment places no restriction on the specifics, for which reference may be made to the prior art on Ranger authorization policies, and they are not repeated here.
In this embodiment, after the authentication policy on the Ranger side has been modified, a user can initiate an access request for a target partition through the Hive side. The access request is issued in the form of an access statement. When the Hive side receives the access statement, entered by the user, that requests access to the target partition, it performs syntactic analysis on the access statement to obtain a syntax tree containing the target partition path and the current user identifier, and sends the target partition path and the current user identifier to the Ranger side, so that the Ranger side obtains the target partition path and the current user identifier carried by the access statement.
After operations and maintenance personnel have divided the data on the Hive side into partitions according to product identifier, business identifier or other partitioning rules, each partition corresponds to a unique access path, namely the partition path.
Step S20: verify, according to the target partition path, the current user identifier and the default
authentication policy, whether the current user has data access permission for the target partition.
In this embodiment, after the target partition path and the current user identifier are obtained, the
data access permission of the current user needs to be verified. Specifically, the user identifier
mapped to the target partition path is obtained according to the target partition path and the default
authentication policy, and it is then determined whether the user identifier mapped to the target
partition path is consistent with the current user identifier. If they are consistent, the current
user has data access permission for the target partition; if they are inconsistent, the current user
does not have data access permission for the target partition.
Step S30: if the current user has data access permission for the target partition, allow the Hive
side to provide the current user with the data access service for the target partition.
In this embodiment, if the Ranger side determines that the current user has data access permission
for the target partition, it allows the Hive side to provide the current user with the data access
service for the target partition.
For example, in a bank or other financial institution, if a business employee requests access to the
partition data of product A through the Hive side, and the Ranger side determines according to the
default authentication policy that the employee has data access permission for the partition data of
product A, then the Ranger side provides the employee, through the Hive side, with the data access
service for the partition data of product A.
In this embodiment, the target partition path of the target partition that the current user requests
to access, and the current user identifier, both sent by the Hive side, are received; whether the
current user has data access permission for the target partition is verified according to the target
partition path, the current user identifier and the default authentication policy; and if the current
user has data access permission for the target partition, the Hive side is allowed to provide the
current user with the data access service for the target partition. By adding a partition
authentication policy on the Ranger side and performing partition authorization on the Hive-side data
access service according to that policy, users of different business lines can operate only on the
partition data related to their own business. This achieves data isolation and therefore
finer-grained security permission management, which better fits the actual needs of banks and other
financial institutions.
Further, a second embodiment of the partition authorization method of the present invention is
proposed, in which the following is also included before step S10:
Step S101: when a permission object addition instruction is received, add the data warehouse tool
partition type to the permission management table in Ranger's metadata, so that a user can input a
target partition path through the Hive side; the permission management table defines the objects in
Ranger that are subject to permission management.
In this embodiment, when a permission object addition instruction initiated by an administrator is
received, Ranger's metadata table is modified so that a partition type entry is added to the
permission management types. Specifically, by operating the Ranger side, the administrator can add
the data warehouse tool partition type, namely the Hive Partition type, to the permission management
table x_resource_def in Ranger's metadata. The x_resource_def table defines the objects (Resource)
in Ranger that require permission management, such as a database, a table or a column.
Further, the following is also included before step S10:
Step S11: when a policy modification instruction is received, modify the default authentication
policy according to the partition path carried by the policy modification instruction and the user
identifier mapped to that partition path, and save the modified default authentication policy.
Step S20 then includes:
verifying, according to the target partition path, the current user identifier and the modified
default authentication policy, whether the current user has data access permission for the target
partition.
Specifically, the user identifier mapped to the target partition path is obtained according to the
target partition path and the modified default authentication policy, and it is then determined
whether the user identifier mapped to the target partition path is consistent with the current user
identifier. If they are consistent, the current user has data access permission for the target
partition; if they are inconsistent, the current user does not have data access permission for the
target partition.
In this embodiment, before step S10, the method further includes modifying Ranger's metadata table to
add a partition type entry to the permission management types. Specifically, by operating the Ranger
console, the administrator can add the Hive Partition type to the x_resource_def table in Ranger's
metadata. The x_resource_def table defines the objects (Resource) in Ranger that require permission
management, such as a database, a table or a column.
Then the authentication policy on the Ranger side is modified. When a policy modification instruction
is received, the Ranger side modifies the default authentication policy according to the partition
path carried by the policy modification instruction and the user identifier mapped to that partition
path, and saves the modified default authentication policy. Specifically, when a policy modification
instruction is received, the Ranger side modifies the x_policy_resource_map table according to the
partition path carried by the policy modification instruction and the user identifier mapped to that
partition path. The x_policy_resource_map table stores the default authentication policy, which
comprises partition paths and the user identifiers mapped to them that have permission to access
those partitions. The table may also store authentication policies for other types of permission
management objects (database, table, column); this embodiment places no restriction on the details,
for which reference can be made to the prior art on Ranger authorization policies, and they are not
repeated here.
Further, the partition path carried by the policy modification instruction is a string containing a
wildcard, and step S11 includes:
when a policy modification instruction is received, retrieving all partition paths corresponding to
the string containing the wildcard;
modifying the default authentication policy according to all partition paths corresponding to the
string containing the wildcard and the user identifier carried by the policy modification
instruction, and saving the modified default authentication policy.
In this embodiment, an administrator setting an authentication policy needs to input a partition path
and the corresponding user identifier. Sometimes, however, the administrator needs to set permissions
for a series of partition paths that contain the same string, and entering the partition paths one by
one is inefficient. If the administrator enters a string containing a wildcard instead, then when the
policy modification instruction is received the Ranger side searches with that string to obtain all
corresponding partition paths, modifies the default authentication policy according to these
partition paths and the user identifier, and saves the modified default authentication policy. For
example, an administrator who wants to find the partition paths beginning with fintech can enter
fintech* to find all partition paths that start with fintech.
Further, after the Ranger side has retrieved all corresponding partition paths using the string
containing the wildcard, it can return these partition paths to the administrator for selection, and
then modify the default authentication policy according to the partition paths selected by the
administrator and the user identifier, and save the modified default authentication policy.
Further, if a user does not know the actual characters of the target partition path or does not want
to type the full path, the user can also input the partition path using a wildcard.
Further, whether the current user has data access permission for the target partition is then
verified according to the target partition path, the current user identifier and the modified default
authentication policy.
Further, the target partition path and the current user identifier are obtained by the Hive side as
follows: the Hive side receives the access statement, entered by the current user, that requests
access to the target partition, performs lexical parsing and syntax parsing on the access statement
to obtain a syntax tree, and then extracts the target partition path and the current user identifier
from the syntax tree.
In this embodiment, after the authentication policy on the Ranger side has been modified, a user can
initiate an access request for a target partition through the Hive side. The access request is issued
in the form of an access statement. When the Hive side receives the access statement, entered by the
user, that requests access to the target partition, it performs lexical parsing and syntax parsing on
the statement to obtain a syntax tree. The syntax tree is a tree representation of the syntactic
structure of the access statement's source code, and each node of the syntax tree represents one
syntactic structure contained in the access statement. The Hive side then extracts the target
partition path and the current user identifier from the nodes of the syntax tree and sends them to
the Ranger side, so that the Ranger side obtains the target partition path and the current user
identifier carried by the access statement.
Further, the user can send an access statement for the relevant partition to the Hive side by either
of the following two methods: one is the Beeline command-line tool, and the other is a JDBC (Java
DataBase Connectivity) connection established by an application program. Either of the two methods
may be used.
Further, after step S20 the method also includes:
if the current user does not have data access permission for the target partition, rejecting the
access request and sending an alert prompt to the Hive side.
In this embodiment, by modifying Ranger's metadata table and configuring authentication policies for
different partitions, finer-grained security permission management is achieved.
Further, a third embodiment of the partition authorization method of the present invention is
proposed, in which step S20 includes:
Step S21: obtain the user identifier mapped to the target partition path according to the target
partition path and the default authentication policy.
In this embodiment, after the target partition path and the current user identifier are obtained, the
data access permission of the current user needs to be verified according to the target partition
path, the current user identifier and the default authentication policy. Specifically, because the
default authentication policy comprises partition paths and the user identifiers mapped to them that
have permission to access those partitions, once the target partition path has been obtained, the
user identifier that is mapped to it and has permission to access the partition can be obtained from
the default authentication policy according to the target partition path.
Further, before step S21 the method may also include: determining whether the target partition path
has a default authentication policy mapped to it. If the target partition path has no default
authentication policy mapped to it, the target partition provides the data access service to all
users, that is, all users have data access permission for the target partition. If the target
partition path has a default authentication policy mapped to it, step S22 is performed.
Step S22: determine whether the user identifier mapped to the target partition path is consistent
with the current user identifier.
Step S23: if the user identifier mapped to the target partition path is consistent with the current
user identifier, the current user has data access permission for the target partition.
Step S24: if the user identifier mapped to the target partition path is inconsistent with the current
user identifier, the current user does not have data access permission for the target partition.
In this embodiment, after the user identifier mapped to the target partition path is obtained
according to the target partition path and the default authentication policy, whether the current
user has data access permission for the target partition is judged by whether that user identifier is
consistent with the current user identifier. Specifically, if the user identifier mapped to the
target partition path is consistent with the current user identifier, it is determined that the
current user has data access permission for the target partition; if they are inconsistent, the
current user does not have data access permission for the target partition.
Further, to refine the granularity of partition authorization access, step S30 includes:
Step S31: if the current user has data access permission for the target partition, obtain the
registration time of the user identifier.
In this embodiment, to refine the granularity of partition authorization access, the user is
prevented from accessing historical data from before the user's registration time, which reduces the
risk of data leakage. Specifically, if it is determined that the current user has data access
permission for the target partition, the registration time of the user identifier is obtained.
Step S32: provide the current user, through the Hive side, with the data access service for the data
of the target partition updated after the registration time.
After the registration time of the user identifier is obtained, the current user is provided, through
the Hive side, with the data access service for the data of the target partition updated after the
registration time. For example, if the current user requests access to the partition data of product
A, the current user has data access permission for the partition data of product A, and the
registration time obtained for the current user is 15:00 on May 1, 2019, then the Ranger side
provides the current user, through the Hive side, with the data access service for the data of the
product A partition updated after 15:00 on May 1, 2019, and does not provide the data access service
for the data of the product A partition from before 15:00 on May 1, 2019. Newly added users can
therefore see only the latest data and cannot access historical data, which reduces the risk of data
leakage and achieves finer-grained security permission management.
Further, after step S30 the method also includes:
Step S33: record the current user in the operation log of the Hive side, so that operations staff can
perform security audits.
In this embodiment, the Ranger side records the current user in the operation log of the Hive side
for operations staff to perform security audits. Auditing is a mechanism for recording user activity
in a database: it monitors and records selected user actions, and it records not only who accessed
the database but also which operations the accessor performed on it. When operations staff find that
data may have been operated on illegally, they can audit all connections to and operations on the
database through the operation log, and thereby discover the source of the illegal user, the terminal
used, the session time and so on.
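The Ranger-side flow described in the embodiments above (wildcard policy modification in step S11, the check in steps S21 to S24, and the registration-time filter and logging in steps S31 to S33), as an added Python example that is not the patent's own code. The class, its field names, the partition path strings and the in-memory tables are assumptions standing in for Ranger's x_policy_resource_map table and the Hive-side operation log; mapping a path to a set of user identifiers and logging denied requests are also assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from fnmatch import fnmatchcase


def utc(*parts):
    """Build a timezone-aware UTC timestamp so comparisons are unambiguous."""
    return datetime(*parts, tzinfo=timezone.utc)


@dataclass
class PartitionAuthorizer:
    """Hypothetical stand-in for the Ranger side; all field names are assumptions."""
    known_partitions: set                               # partition paths existing on the Hive side
    policy: dict = field(default_factory=dict)          # partition path -> set of user identifiers
    registered_at: dict = field(default_factory=dict)   # user identifier -> registration time
    audit_log: list = field(default_factory=list)       # stand-in for the Hive-side operation log

    def modify_policy(self, path_pattern, user_id):
        """Step S11: expand a wildcard string to concrete partition paths, then map the user."""
        matched = sorted(p for p in self.known_partitions if fnmatchcase(p, path_pattern))
        for path in matched:
            self.policy.setdefault(path, set()).add(user_id)
        return matched  # returned so the administrator can review what the pattern selected

    def is_authorized(self, target_path, user_id):
        """Steps S21-S24, plus the text's rule that an unmapped partition is open to all users."""
        mapped_users = self.policy.get(target_path)
        if mapped_users is None:
            return True
        return user_id in mapped_users

    def serve(self, target_path, user_id, rows):
        """Steps S30-S33: check, filter by registration time, and record the access."""
        allowed = self.is_authorized(target_path, user_id)
        visible = []
        if allowed:
            registered = self.registered_at.get(user_id)
            # Assumptions: a user with no recorded registration time sees nothing (fail closed),
            # and "after the registration time" is read as strictly later.
            if registered is not None:
                visible = [r for r in rows if r["updated_at"] > registered]
        self.audit_log.append({
            "time": datetime.now(timezone.utc),
            "user": user_id,
            "partition": target_path,
            "allowed": allowed,
            "rows_returned": len(visible),
        })
        if not allowed:
            # The text rejects the request and sends an alert prompt to the Hive side.
            raise PermissionError(f"{user_id} may not read {target_path}")
        return visible


# Constructed sample data (not from the patent).
SAMPLE_PARTITIONS = {"fintech/product=A", "fintech/product=B", "retail/product=C"}
SAMPLE_ROWS = [
    {"id": 1, "updated_at": utc(2019, 4, 30, 9, 0)},
    {"id": 2, "updated_at": utc(2019, 5, 1, 15, 0)},   # exactly at the registration time
    {"id": 3, "updated_at": utc(2019, 5, 2, 8, 30)},
]


def build_demo():
    """Register one user at 15:00 on May 1, 2019 and grant her every fintech* partition."""
    auth = PartitionAuthorizer(known_partitions=set(SAMPLE_PARTITIONS))
    auth.registered_at["alice"] = utc(2019, 5, 1, 15, 0)
    auth.modify_policy("fintech*", "alice")
    return auth


if __name__ == "__main__":
    demo = build_demo()
    print([r["id"] for r in demo.serve("fintech/product=A", "alice", SAMPLE_ROWS)])
    try:
        demo.serve("fintech/product=A", "bob", SAMPLE_ROWS)
    except PermissionError as exc:
        print("denied:", exc)
    print(demo.is_authorized("retail/product=C", "bob"))  # unmapped partition
```

Under the rule stated in the third embodiment, a partition with no mapped policy is readable by every user, so a wildcard string that matches nothing leaves the intended partitions open; `modify_policy` returns the matched paths so that case can be seen before the policy is saved.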
In this embodiment, by adding a partition authentication policy on the Ranger side and performing
partition authorization on the Hive-side data access service according to that policy, users of
different business lines can operate only on the partition data related to their own business, which
achieves data isolation. In addition, by providing the user with the data access service only for the
data of the target partition updated after the registration time, newly added users can see only the
latest data and cannot access historical data, which reduces the risk of data leakage, achieves
finer-grained security permission management, and better fits the actual needs of banks and other
financial institutions.
The present invention also provides a partition authorization device.
Referring to Fig. 3, Fig. 3 is a functional block diagram of the first embodiment of the partition
authorization device of the present invention. The partition authorization device is applied to the
Ranger side and includes:
a receiving module 10, configured to receive the target partition path of the target partition that
the current user requests to access and the current user identifier, both sent by the Hive side;
an authentication module 20, configured to verify, according to the target partition path, the
current user identifier and the default authentication policy, whether the current user has data
access permission for the target partition;
an access module 30, configured to allow the Hive side to provide the current user with the data
access service for the target partition if the current user has data access permission for the target
partition.
Further, the receiving module is also configured to:
receive the target partition path of the target partition that the current user requests to access
and the current user identifier, both sent by the Hive side, where the target partition path and the
current user identifier are obtained by the Hive side receiving the access statement, entered by the
current user, that requests access to the target partition, performing lexical parsing and syntax
parsing on the access statement to obtain a syntax tree, and then extracting the target partition
path and the current user identifier from the syntax tree.
Further, the partition authorization device also includes:
a saving module, configured to, when a policy modification instruction is received, modify the
default authentication policy according to the partition path carried by the policy modification
instruction and the user identifier mapped to that partition path, and save the modified default
authentication policy;
the authentication module is also configured to verify, according to the target partition path, the
current user identifier and the modified default authentication policy, whether the current user has
data access permission for the target partition.
Further, the saving module is also configured to:
when a policy modification instruction is received, retrieve all partition paths corresponding to the
string containing the wildcard;
modify the default authentication policy according to all partition paths corresponding to the string
containing the wildcard and the user identifier carried by the policy modification instruction, and
save the modified default authentication policy.
Further, the authentication module is also configured to:
obtain the user identifier mapped to the target partition path according to the target partition path
and the default authentication policy;
determine whether the user identifier mapped to the target partition path is consistent with the
current user identifier;
if the user identifier mapped to the target partition path is consistent with the current user
identifier, the current user has data access permission for the target partition;
if the user identifier mapped to the target partition path is inconsistent with the current user
identifier, the current user does not have data access permission for the target partition.
Further, the partition authorization device also includes:
an adding module, configured to, when a permission object addition instruction is received, add the
data warehouse tool partition type to the permission management table in Ranger's metadata, so that a
user can input a target partition path through the Hive side; the permission management table defines
the objects in Ranger that are subject to permission management.
Further, the access module is also configured to:
if the current user has data access permission for the target partition, obtain the registration time
of the user identifier;
provide the current user, through the Hive side, with the data access service for the data of the
target partition updated after the registration time.
The specific embodiments of the partition authorization device of the present invention are
essentially the same as the embodiments of the partition authorization method described above and are
not repeated here.
In addition, an embodiment of the present invention also provides a computer-readable storage medium.
A partition authorization program is stored on the computer-readable storage medium, and when the
partition authorization program is executed by a processor, the steps of the partition authorization
method described above are implemented.
The specific embodiments of the computer-readable storage medium of the present invention are
essentially the same as the embodiments of the partition authorization method described above and are
not repeated here.
The embodiments of the present invention have been described above with reference to the accompanying
drawings, but the invention is not limited to the specific embodiments described, which are merely
illustrative and not restrictive. Under the inspiration of the present invention, and without
departing from the purpose of the invention and the scope protected by the claims, those skilled in
the art can also devise many other forms. Any equivalent structure or equivalent process
transformation made using the contents of the description and drawings of the present invention,
whether used directly or indirectly in other related technical fields, falls within the protection of
the present invention.
Claims (10)
1. A partition authorization method, characterized in that the partition authorization method is applied
to the Ranger side and comprises the following steps:
receiving the target partition path of the target partition that the current user requests to access
and the current user identifier, both sent by the Hive side;
verifying, according to the target partition path, the current user identifier and a default
authentication policy, whether the current user has data access permission for the target partition;
if the current user has data access permission for the target partition, allowing the Hive side to
provide the current user with the data access service for the target partition.
2. The partition authorization method according to claim 1, characterized in that the target
partition path and the current user identifier are obtained by the Hive side receiving the access
statement, entered by the current user, that requests access to the target partition, performing
lexical parsing and syntax parsing on the access statement to obtain a syntax tree, and then
extracting the target partition path and the current user identifier from the syntax tree.
3. The partition authorization method according to claim 1, characterized in that, before the step of
receiving the target partition path of the target partition that the current user requests to access
and the current user identifier, both sent by the Hive side, the method further comprises:
when a policy modification instruction is received, modifying the default authentication policy
according to the partition path carried by the policy modification instruction and the user
identifier mapped to that partition path, and saving the modified default authentication policy;
the step of verifying, according to the target partition path, the current user identifier and the
default authentication policy, whether the current user has data access permission for the target
partition comprises:
verifying, according to the target partition path, the current user identifier and the modified
default authentication policy, whether the current user has data access permission for the target
partition.
4. The partition authorization method according to claim 3, characterized in that the partition path
carried by the policy modification instruction is a string containing a wildcard, and the step of,
when a policy modification instruction is received, modifying the default authentication policy
according to the partition path carried by the policy modification instruction and the user
identifier mapped to that partition path, and saving the modified default authentication policy
comprises:
when a policy modification instruction is received, retrieving all partition paths corresponding to
the string containing the wildcard;
modifying the default authentication policy according to all partition paths corresponding to the
string containing the wildcard and the user identifier carried by the policy modification
instruction, and saving the modified default authentication policy.
5. The partition authorization method according to claim 1, characterized in that the step of
verifying, according to the target partition path, the current user identifier and the default
authentication policy, whether the current user has data access permission for the target partition
comprises:
obtaining the user identifier mapped to the target partition path according to the target partition
path and the default authentication policy;
determining whether the user identifier mapped to the target partition path is consistent with the
current user identifier;
if the user identifier mapped to the target partition path is consistent with the current user
identifier, the current user has data access permission for the target partition;
if the user identifier mapped to the target partition path is inconsistent with the current user
identifier, the current user does not have data access permission for the target partition.
6. The partition authorization method according to claim 1, characterized in that, before the step of
receiving the target partition path of the target partition that the current user requests to access
and the current user identifier, both sent by the Hive side, the method further comprises:
when a permission object addition instruction is received, adding the data warehouse tool partition
type to the permission management table in Ranger's metadata, so that a user can input a target
partition path through the Hive side, the permission management table defining the objects in Ranger
that are subject to permission management.
7. The partition authorization method according to any one of claims 1 to 6, characterized in that
the step of, if the current user has data access permission for the target partition, allowing the
Hive side to provide the current user with the data access service for the target partition
comprises:
if the current user has data access permission for the target partition, obtaining the registration
time of the user identifier;
providing the current user, through the Hive side, with the data access service for the data of the
target partition updated after the registration time.
8. A partition authorization device, characterized in that the partition authorization device is
applied to the Ranger side and comprises:
a receiving module, configured to receive the target partition path of the target partition that the
current user requests to access and the current user identifier, both sent by the Hive side;
an authentication module, configured to verify, according to the target partition path, the current
user identifier and a default authentication policy, whether the current user has data access
permission for the target partition;
an access module, configured to allow the Hive side to provide the current user with the data access
service for the target partition if the current user has data access permission for the target
partition.
9. Partition authorization equipment, characterized in that the partition authorization equipment
comprises a memory, a processor, and a partition authorization program that is stored in the memory
and can run on the processor, wherein the steps of the partition authorization method according to
any one of claims 1 to 7 are implemented when the partition authorization program is executed by the
processor.
10. A computer-readable storage medium, characterized in that a partition authorization program is
stored on the computer-readable storage medium, and the steps of the partition authorization method
according to any one of claims 1 to 7 are implemented when the partition authorization program is
executed by a processor.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910459668.5A CN110188573B (en) | 2019-05-27 | 2019-05-27 | Partition authorization method, partition authorization device, partition authorization equipment and computer readable storage medium |
PCT/CN2020/080558 WO2020238359A1 (en) | 2019-05-27 | 2020-03-23 | Partition authorization method, apparatus and device, and computer-readable storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910459668.5A CN110188573B (en) | 2019-05-27 | 2019-05-27 | Partition authorization method, partition authorization device, partition authorization equipment and computer readable storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110188573A (en) | 2019-08-30 |
CN110188573B (en) | 2024-06-04 |
Family
ID=67718643
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910459668.5A Active CN110188573B (en) | 2019-05-27 | 2019-05-27 | Partition authorization method, partition authorization device, partition authorization equipment and computer readable storage medium |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN110188573B (en) |
WO (1) | WO2020238359A1 (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110619226A (en) * | 2019-09-12 | 2019-12-27 | 秒针信息技术有限公司 | Platform-based data processing method, system, equipment and storage medium |
CN111125767A (en) * | 2019-12-26 | 2020-05-08 | 秒针信息技术有限公司 | Dynamic desensitization method, apparatus, electronic device and computer-readable storage medium |
CN111177743A (en) * | 2019-12-06 | 2020-05-19 | 西安交通大学 | Credit big data oriented risk control method and system thereof |
CN111274167A (en) * | 2020-01-21 | 2020-06-12 | 李岗 | Method and system for protecting media data |
CN111651122A (en) * | 2020-05-20 | 2020-09-11 | 远景智能国际私人投资有限公司 | Data deleting method, device, server and storage medium |
CN111797424A (en) * | 2019-11-26 | 2020-10-20 | 北京京东尚科信息技术有限公司 | Method and device for processing request |
WO2020238359A1 (en) * | 2019-05-27 | 2020-12-03 | 深圳前海微众银行股份有限公司 | Partition authorization method, apparatus and device, and computer-readable storage medium |
CN112257097A (en) * | 2020-11-23 | 2021-01-22 | 浪潮云信息技术股份公司 | Partition authority management method based on distributed database |
WO2023173908A1 (en) * | 2022-03-17 | 2023-09-21 | 华为云计算技术有限公司 | Method, apparatus and system for accessing file, and storage medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106462717A (en) * | 2014-06-23 | 2017-02-22 | 甲骨文国际公司 | System and method for supporting security in a multitenant application server environment |
WO2017129138A1 (en) * | 2016-01-26 | 2017-08-03 | 中兴通讯股份有限公司 | Data protection method and apparatus in data warehouse |
US9948655B1 (en) * | 2016-04-15 | 2018-04-17 | AtScale, Inc. | Data access authorization for dynamically generated database structures |
CN108280367A (en) * | 2018-01-22 | 2018-07-13 | 腾讯科技(深圳)有限公司 | Management method, device, computing device and the storage medium of data manipulation permission |
CN109299613A (en) * | 2018-09-03 | 2019-02-01 | 中国平安人寿保险股份有限公司 | The setting method and terminal device of partitions of database permission |
CN109309686A (en) * | 2018-11-01 | 2019-02-05 | 浪潮软件集团有限公司 | Multi-tenant management method and device |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109643242B (en) * | 2016-05-23 | 2023-06-27 | 摩根大通国家银行 | Security design and architecture for multi-tenant HADOOP clusters |
CN107066867A (en) * | 2017-03-11 | 2017-08-18 | 郑州云海信息技术有限公司 | A kind of big data cluster resource allocation methods and device |
CN107196951B (en) * | 2017-06-12 | 2019-02-26 | 北京明朝万达科技股份有限公司 | A kind of implementation method and firewall system of HDFS system firewall |
CN107622211A (en) * | 2017-09-27 | 2018-01-23 | 浪潮软件股份有限公司 | A kind of large data sets monarchial power limit access control method and device |
CN110188573B (en) * | 2019-05-27 | 2024-06-04 | 深圳前海微众银行股份有限公司 | Partition authorization method, partition authorization device, partition authorization equipment and computer readable storage medium |
- 2019-05-27 CN CN201910459668.5A patent/CN110188573B/en active Active
- 2020-03-23 WO PCT/CN2020/080558 patent/WO2020238359A1/en active Application Filing
Non-Patent Citations (3)
Title |
---|
MAANAK GUPTA et al.: "POSTER: Access Control Model for the Hadoop Ecosystem", Proceedings of the 22nd ACM Symposium on Access Control Models and Technologies, 7 June 2017 (2017-06-07) * |
周霆; 张勇: "Secure data communication method for partitioned operating systems based on permission control", 信息通信, no. 04, 15 April 2017 (2017-04-15) * |
靳永超; 吴怀谷: "Research on tracing metadata provenance in big data based on Neo4j", 现代计算机(专业版), no. 08, 15 March 2015 (2015-03-15) * |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2020238359A1 (en) * | 2019-05-27 | 2020-12-03 | 深圳前海微众银行股份有限公司 | Partition authorization method, apparatus and device, and computer-readable storage medium |
CN110619226A (en) * | 2019-09-12 | 2019-12-27 | 秒针信息技术有限公司 | Platform-based data processing method, system, equipment and storage medium |
CN111797424A (en) * | 2019-11-26 | 2020-10-20 | 北京京东尚科信息技术有限公司 | Method and device for processing request |
CN111177743A (en) * | 2019-12-06 | 2020-05-19 | 西安交通大学 | Credit big data oriented risk control method and system thereof |
CN111177743B (en) * | 2019-12-06 | 2022-02-22 | 西安交通大学 | Credit big data oriented risk control method and system thereof |
CN111125767A (en) * | 2019-12-26 | 2020-05-08 | 秒针信息技术有限公司 | Dynamic desensitization method, apparatus, electronic device and computer-readable storage medium |
CN111274167A (en) * | 2020-01-21 | 2020-06-12 | 李岗 | Method and system for protecting media data |
CN111651122A (en) * | 2020-05-20 | 2020-09-11 | 远景智能国际私人投资有限公司 | Data deleting method, device, server and storage medium |
CN111651122B (en) * | 2020-05-20 | 2023-07-28 | 远景智能国际私人投资有限公司 | Data deleting method, device, server and storage medium |
CN112257097A (en) * | 2020-11-23 | 2021-01-22 | 浪潮云信息技术股份公司 | Partition authority management method based on distributed database |
WO2023173908A1 (en) * | 2022-03-17 | 2023-09-21 | 华为云计算技术有限公司 | Method, apparatus and system for accessing file, and storage medium |
Also Published As
Publication number | Publication date |
---|---|
WO2020238359A1 (en) | 2020-12-03 |
CN110188573B (en) | 2024-06-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110188573A (en) | Subregion authorization method, device, equipment and computer readable storage medium | |
WO2022126968A1 (en) | Micro-service access method, apparatus and device, and storage medium | |
CN111488595B (en) | Method for realizing authority control and related equipment | |
CN109688120B (en) | Dynamic authority management system based on improved RBAC model and Spring Security framework | |
US10055561B2 (en) | Identity risk score generation and implementation | |
US9852206B2 (en) | Computer relational database method and system having role based access control | |
CN110443059A (en) | Data guard method and device | |
US6745332B1 (en) | Method and apparatus for enabling database privileges | |
CN108701182A (en) | The data management of multi-tenant identity cloud service | |
CN110543464A (en) | Big data platform applied to smart park and operation method | |
CN103473636B (en) | A kind of system data element of collection, analysis and distribution network business information | |
CN110493308B (en) | Distributed consistency system session method and device, storage medium and server | |
CN111709046A (en) | User permission data configuration method, device, equipment and storage medium | |
CN102222005A (en) | Service model-oriented software running platform and running mode thereof | |
CN102222191A (en) | Loose coupling role authorized-type implementation access control method and system thereof | |
Varga et al. | Introducing Microsoft SQL Server 2016: Mission-Critical Applications, Deeper Insights, Hyperscale Cloud | |
CN101594386B (en) | Method and device for constructing reliable virtual organization based on distributed strategy verification | |
CN111274569A (en) | Research, development, operation and maintenance integrated system for unified login authentication and login authentication method thereof | |
CN111444523A (en) | Artificial intelligence modeling and service management platform | |
Cai et al. | Distributed management of permission for access control model | |
US20230412647A1 (en) | First class database object server application | |
Xi et al. | Decentralized access control for secure microservices cooperation with blockchain | |
CN108268769A (en) | The method and system of data access entitlement are performed to user | |
Amalarethinam et al. | A study on performance evaluation of peer-to-peer distributed databases | |
US20200151346A1 (en) | Method and system for implementing a cloud machine learning environment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||